Logging of information about events for tasks and policies
Dec 4, 2023
This section provides calculations associated with event storage in the database of the Administration Server and offers recommendations on how to minimize the number of events, thereby reducing the load on the Administration Server.
By default, the properties of each task and policy provide for storing all events related to task execution and policy enforcement.
However, if a task is run quite frequently (for example, more than once per week) and on a fairly large number of devices (for example, more than 10,000), the number of events may turn out to be too large and the events may flood the database. In this case, it is recommended to select one of two options in the task settings:
- Save events related to task progress. In this case, the database receives only information about task launch, progress, and completion (successful, with a warning or error) from each device on which the task is run.
- Save only task execution results. In this case, the database receives only information about task completion (successful, with a warning or error) from each device on which the task is run.
If a policy has been defined for a fairly large number of devices (for example, more than 10,000), the number of events may also turn out to be large and the events may flood the database. In this case, it is recommended to choose only the most critical events in the policy settings and enable their logging. You are advised to disable the logging of all other events.
In doing so, you will reduce the number of events in the database, speed up the scenarios that analyze the event table in the database, and lower the risk that critical events will be overwritten by a large number of less important ones.
You can also reduce the storage term for events associated with a task or a policy. The default period is 7 days for task-related events and 30 days for policy-related events. When changing the event storage term, consider the work procedures in place at your organization and the amount of time that the system administrator can devote to analyzing each event.
It is advisable to modify the event storage settings in any of the following cases:
- Events about changes in the intermediate states of group tasks and events about applying policies occupy a large share of all events in the Kaspersky Security Center database.
- The Kaspersky Event Log begins showing entries about automatic removal of events when the established limit on the total number of events stored in the database is exceeded.
Choose event logging options based on the assumption that the optimal number of events coming from a single device per day must not exceed 20. You can increase this limit slightly, if necessary, but only if the number of devices on your network is relatively small (fewer than 10,000).
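The following sizing helper is an added example, not code from Kaspersky Security Center or this page; it applies the page's figures (the 20 events per device per day ceiling, the 7-day default task retention) to the three task logging options. The number of events a single device produces per task run under each option is an assumption that you would replace with counts observed in your own database.

```python
"""Capacity estimate for task events in the Administration Server database."""
from dataclasses import dataclass

# Recommended ceiling from the page: 20 events per device per day.
MAX_EVENTS_PER_DEVICE_PER_DAY = 20
# Default storage terms from the page.
DEFAULT_TASK_RETENTION_DAYS = 7
DEFAULT_POLICY_RETENTION_DAYS = 30

# Assumed events per device per task run for each logging option
# (constructed values; measure your own from the event table).
EVENTS_PER_RUN = {
    "all": 25,       # every task event is saved (assumed verbose task)
    "progress": 3,   # launch, progress, completion
    "results": 1,    # completion only
}


@dataclass
class TaskEstimate:
    mode: str
    events_per_device_per_day: float
    events_per_day: float
    stored_events: float        # steady-state rows held for the retention term
    within_budget: bool


def estimate_task_events(devices, runs_per_week, mode,
                         retention_days=DEFAULT_TASK_RETENTION_DAYS):
    """Estimate daily volume and steady-state stored rows for one task."""
    per_device_per_day = runs_per_week / 7 * EVENTS_PER_RUN[mode]
    per_day = per_device_per_day * devices
    return TaskEstimate(
        mode=mode,
        events_per_device_per_day=per_device_per_day,
        events_per_day=per_day,
        stored_events=per_day * retention_days,
        within_budget=per_device_per_day <= MAX_EVENTS_PER_DEVICE_PER_DAY,
    )


def recommend_task_logging(devices, runs_per_week):
    """Pick the most verbose logging option that keeps this one task under
    the per-device daily ceiling. The ceiling covers all events from a
    device, so a task that needs the whole budget is already a warning."""
    for mode in ("all", "progress", "results"):
        est = estimate_task_events(devices, runs_per_week, mode)
        if est.within_budget:
            return est
    return est  # even "results" exceeds the ceiling: run the task less often
```

For a daily task on 12,000 devices the model flags "save all events" as over budget (25 events per device per day) and recommends the progress option; the same task run weekly stays within budget even with full logging.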